Need clarification on how to handle multiple OAuth scopes in an endpoint #1106

Closed
dclucas opened this issue May 16, 2017 · 3 comments

dclucas commented May 16, 2017

The specs make it very clear that in case multiple security schemes are present in the spec, that should be read as a logical AND.

On the other hand, when describing the list of scopes within a scheme (see paste below), the text seems to imply a logical AND operation as well, without making it 100% explicit.

If the security scheme is of type "oauth2", then the value is a list of scope names required for the execution. For other security scheme types, the array MUST be empty.

So can we make it clear in the text whether those entries should be an "OR", "AND" or whether the specs imply no relationship whatsoever?

@webron
Member

webron commented May 16, 2017

If it's a list of required scopes, it does mean AND. We can certainly improve the wording though.
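An added example, not part of the thread or of the spec project's code: an enforcement-side check that applies the AND reading of the scope list, next to the mistaken OR reading, to show how the latter over-grants access. Function names, scheme names and sample data are hypothetical; treating the entries of the `security` array as alternatives follows the Swagger 2.0 text and goes beyond what this thread covers.

```python
# Added example. All names are hypothetical; sample data is constructed.

def scopes_ok(required, granted):
    """Correct reading: the scope list is a logical AND (subset test)."""
    return set(required) <= set(granted)


def scopes_ok_any(required, granted):
    """Mistaken reading: logical OR. Kept only for contrast; it over-grants."""
    return not required or bool(set(required) & set(granted))


def is_authorized(security, presented, scope_check=scopes_ok):
    """Evaluate an operation's `security` array.

    security:  list of security requirement objects {scheme_name: [scopes]}
    presented: {scheme_name: granted_scopes} for credentials that have
               already been validated for this request
    """
    for requirement in security:      # array entries are alternatives
        if not requirement:
            continue                  # assumption: empty object fails closed
        # Every scheme in one object must pass, each with all of its scopes.
        if all(name in presented and scope_check(scopes, presented[name])
               for name, scopes in requirement.items()):
            return True
    return False


# Constructed sample: the operation lists two scopes under one oauth2 scheme.
SECURITY = [{"oauth_main": ["write:items", "read:items"]}]
READ_ONLY_TOKEN = {"oauth_main": {"read:items"}}
FULL_TOKEN = {"oauth_main": {"read:items", "write:items"}}

# Constructed sample: two schemes in one object, both required.
TWO_SCHEMES = [{"api_key": [], "oauth_main": ["read:items"]}]

if __name__ == "__main__":
    print("full token, AND:     ", is_authorized(SECURITY, FULL_TOKEN))
    print("read-only token, AND:", is_authorized(SECURITY, READ_ONLY_TOKEN))
    print("read-only token, OR: ",
          is_authorized(SECURITY, READ_ONLY_TOKEN, scope_check=scopes_ok_any))
```

With the OR reading, a token holding only `read:items` passes a check on an operation that also lists `write:items`.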

@dclucas
Author

dclucas commented May 17, 2017

Cool, tks. I will submit another issue against the new spec, to try to cover for scenarios where an "OR" would be required.
On the current text, more than happy to submit a PR to make this more explicit...

@webron
Member

webron commented May 17, 2017

You're welcome to submit a PR to that effect. As for covering OR, keep in mind we are very close to finalizing this version of the spec, so I suggest you do it fast and we just might be able to squeeze it in. Would suggest that you add a suggestion to the construct itself, otherwise it's going to be a very slim chance it'll get in.
